Inside the 2017 Verizon DBIR

The tenth edition of the Verizon Data Breach Investigations Report is now available and MWR is again a contributor to the data analyzed.

It’s that time of year again: time to look back, comb through the data and see what we can learn to combat emerging trends in data breach incidents.

As a contributor once again to the 2017 DBIR, MWR’s global Investigations & Incident Response practice has all of its incident metrics represented in the data set. We are strong advocates of sharing insight into the root causes behind major breaches so that everyone can benefit from the misfortunes of the few. In doing so, we hope readers will help us reduce the frequency of the incidents we see repeated, by focusing each industry sector on the threats it actually faces.

93% of breaches involved either financial or espionage-related motivations

How to get the most from the report?

The DBIR is seen by many as a fascinating insight into what really goes on in data breaches, but its real value is as a means to direct investment towards the security controls that have the greatest impact on mitigating real-world threats to your business.

Incident patterns, the naturally forming clusters first identified in 2014 when comparing the spread of incident metrics, are the key to unlocking this value. This year’s report, more than ever, has an industry-specific focus, so there is something for everyone: valuable insight into the causes of, and motivations for, breaches in each industry vertical. Figure 9 is your key to getting the most from the report; it shows which incident patterns feature most prominently in each vertical. Diving into the details of the incident patterns that affect your corner of the security world is the best way to start using the data effectively.

The big threats

All the passwords

Over a billion credentials are known to have been stolen in the last year, largely from web portals and sites other than online retail. Because people reuse passwords across services, those stolen pairs will be replayed against every login form their owners might use. If you run an online service where users authenticate, brace yourself for the script-kiddie account-checker (credential-stuffing) scripts, and start thinking about multi-factor authentication if you haven’t already.
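As an added example (not code from the DBIR or from MWR), the following script shows the detection side of that advice: a sliding-window check over authentication logs that flags a source address trying many distinct accounts in a short window with mostly failures, which is what an account checker looks like, and then lists the accounts it succeeded on so they can be forced through a password reset and MFA. The log format, the addresses, the usernames and the thresholds are all constructed for the illustration.

```python
"""Flag credential-stuffing ("account checker") traffic in authentication logs.

Stuffing replays leaked username/password pairs, so its signature is one source
address trying many *different* accounts in a short window and mostly failing.
A brute force against one account (one user, many attempts) and a legitimate
user (one user, few attempts) both look different and are not flagged.
"""
import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timezone

# Assumed log line layout (constructed for this example, not a real product's format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)
Event = namedtuple("Event", "ts src user ok")


def parse_line(line):
    """Return an Event for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, m["src"], m["user"], m["result"] == "OK")


def detect_stuffing(lines, window_seconds=60, min_distinct_users=5, max_success_ratio=0.2):
    """Return {src: (distinct_users, attempts, successes)} for every source that, within
    some window of `window_seconds`, tried at least `min_distinct_users` accounts with a
    success ratio at or below `max_success_ratio`. The tuple is the widest window seen."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev.src].append(ev)

    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e.ts)
        window = deque()
        for ev in events:
            window.append(ev)
            while (ev.ts - window[0].ts).total_seconds() > window_seconds:
                window.popleft()
            users = {e.user for e in window}
            successes = sum(1 for e in window if e.ok)
            if len(users) >= min_distinct_users and successes / len(window) <= max_success_ratio:
                if src not in alerts or len(users) > alerts[src][0]:
                    alerts[src] = (len(users), len(window), successes)
    return alerts


def compromised_accounts(lines, alerts):
    """Accounts that a flagged source logged into successfully: the ones to lock, reset
    and force through MFA, because the stuffed credential turned out to be valid."""
    hits = set()
    for line in lines:
        ev = parse_line(line)
        if ev and ev.ok and ev.src in alerts:
            hits.add(ev.user)
    return hits


# Constructed sample log: one stuffing source, one single-account brute force, one real user.
SAMPLE_LOG = """\
2017-04-27T10:00:00Z src=192.0.2.10 user=alice result=OK
2017-04-27T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2017-04-27T10:00:03Z src=203.0.113.5 user=bob result=FAIL
2017-04-27T10:00:05Z src=203.0.113.5 user=carol result=FAIL
2017-04-27T10:00:07Z src=203.0.113.5 user=dave result=OK
2017-04-27T10:00:09Z src=203.0.113.5 user=erin result=FAIL
2017-04-27T10:00:11Z src=203.0.113.5 user=frank result=FAIL
2017-04-27T10:00:13Z src=203.0.113.5 user=grace result=FAIL
2017-04-27T10:00:15Z src=203.0.113.5 user=heidi result=FAIL
2017-04-27T10:00:20Z src=198.51.100.7 user=bob result=FAIL
2017-04-27T10:00:21Z src=198.51.100.7 user=bob result=FAIL
2017-04-27T10:00:22Z src=198.51.100.7 user=bob result=FAIL
2017-04-27T10:00:23Z src=198.51.100.7 user=bob result=FAIL
2017-04-27T10:00:24Z src=198.51.100.7 user=bob result=FAIL
2017-04-27T10:00:25Z src=198.51.100.7 user=bob result=FAIL
""".splitlines()

if __name__ == "__main__":
    found = detect_stuffing(SAMPLE_LOG)
    print(found)                                    # {'203.0.113.5': (8, 8, 1)}
    print(compromised_accounts(SAMPLE_LOG, found))  # {'dave'}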

Figure 6 – Number of records per data variety over time

Espionage

Whether associated with economic, political or military advantage, and whether actually carried out by nation states or others, espionage is proportionately trending up in the breach data.

Figure 3 – Threat actor motives over time

Certain industries bear the brunt of this threat. With almost half of the data breaches in the public administration vertical linked to state-affiliated actors, public bodies are, unsurprisingly, the playground of intelligence agencies.

If you are in manufacturing and didn’t know it already, industrial espionage is your biggest threat. Remarkably, in this vertical 91% of the data compromised was classed as secrets, 93% of threat actors were classified as external, and 94% of breaches were associated with espionage as the threat actor’s motivation.

The good news is that, while these attacks are often quite advanced, they are also long running, with over half taking years to discover. That long dwell time means there is a genuine opportunity to apply modern attack detection techniques, such as threat hunting, to pick up and contain these attacks early.

With social engineering through email phishing still a key factor in the success of espionage incidents, user awareness programs and tooling that detects phishing, or lets users report it, are the key controls to focus on.

Ransomware

Ransomware continues to grow in prevalence and is the fifth most common malware variety in this year’s report. While progress is being made against the commodity variants and the growing “Ransomware as a Service” threat, attackers have moved from single endpoints towards interactive attacks that target whole organizations. This is reflected in this year’s report and is certainly reflected in MWR’s caseload, which saw a 250% increase in ransomware cases in 2016 compared with 2015.

In 2016, US-CERT observed 300% year-on-year growth in infections, and the trend continues into 2017. How does this stack up with what we are seeing? MWR conducts the majority of its incident response casework across Europe and Africa, and there the ransomware threat continues to evolve: organized crime groups are targeting corporate networks at a rapidly increasing rate because of how profitable such attacks are.

Ransomware capabilities expanded rapidly to target network shares and encrypt vast amounts of corporate data, and attackers soon learned that large organizations were willing and able to pay far more than individual users. That in turn has pushed ransomware capabilities and delivery techniques to mirror those of espionage-style intrusions: widespread domain compromise, ransoms in the million-dollar range, destruction of online backups and enterprise-wide infection.

With this in mind, MWR has developed an anti-ransomware agent, RansomFlare, which uses a combination of machine learning and behavioral analysis to identify ransomware as soon as it runs on a system, coupled with rapid remote incident response and containment.
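To make the behavioral side of that idea concrete, here is an added example that is not RansomFlare’s code or any MWR code: a small heuristic over a constructed stream of per-process file events. It measures the Shannon entropy of what each process writes and flags a process that, within a short window, writes ciphertext-like content over several files it had just read. The event format, process IDs, paths and thresholds are assumptions made for the example.

```python
"""Behavioral ransomware heuristic over a file-activity stream.

Ransomware reads a document, writes back ciphertext (near 8 bits of entropy per
byte) to the same path or a renamed sibling, and repeats this across many files
in seconds. A backup or archiving tool also produces high-entropy output, but
into one new file it never read, so the read-then-overwrite pairing is what
separates the two.
"""
import math
from collections import defaultdict, deque


def shannon_entropy(data):
    """Bits per byte: 8.0 for uniformly random bytes, ciphertext close to it, text far below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def detect_encryptor(events, window_seconds=30, min_files=5, entropy_threshold=7.0):
    """events: iterable of (t_seconds, pid, op, path, data) with op in {"read", "write"}
    and data the bytes written (None for reads). Returns {pid: distinct_files} for every
    process that, within `window_seconds`, wrote high-entropy content to at least
    `min_files` distinct paths that equal or extend a path it had previously read."""
    read_paths = defaultdict(set)     # pid -> paths it has read
    recent = defaultdict(deque)       # pid -> deque of (t, path) suspicious writes
    alerts = {}
    for t, pid, op, path, data in sorted(events, key=lambda e: e[0]):
        if op == "read":
            read_paths[pid].add(path)
            continue
        if op != "write" or data is None or shannon_entropy(data) < entropy_threshold:
            continue
        # Ciphertext going somewhere the process never read from (archive, download) is benign here.
        if not any(path.startswith(r) for r in read_paths[pid]):
            continue
        dq = recent[pid]
        dq.append((t, path))
        while t - dq[0][0] > window_seconds:
            dq.popleft()
        files = {p for _, p in dq}
        if len(files) >= min_files:
            alerts[pid] = max(alerts.get(pid, 0), len(files))
    return alerts


# Constructed sample data: a stand-in for ciphertext (exactly 8.0 bits/byte) and for a document.
CIPHERTEXT = bytes(range(256)) * 4
PLAINTEXT = b"Quarterly revenue figures and commentary. " * 25
DOCS = ["C:/Users/ann/Documents/" + n for n in
        ("budget.xlsx", "report.docx", "notes.txt", "deck.pptx", "invoice.pdf", "plan.docx")]

SAMPLE_EVENTS = []
# pid 4242 behaves like ransomware: read each document, write ciphertext to a ".locked" sibling.
for i, doc in enumerate(DOCS):
    SAMPLE_EVENTS.append((2.0 * i, 4242, "read", doc, None))
    SAMPLE_EVENTS.append((2.0 * i + 1, 4242, "write", doc + ".locked", CIPHERTEXT))
# pid 300 behaves like a backup tool: reads the same documents, writes one compressed archive.
for i, doc in enumerate(DOCS):
    SAMPLE_EVENTS.append((20.0 + i, 300, "read", doc, None))
SAMPLE_EVENTS.append((27.0, 300, "write", "D:/backup/docs.zip", CIPHERTEXT))
# pid 500 behaves like a word processor: saves one document back in place as plain content.
SAMPLE_EVENTS.append((30.0, 500, "read", DOCS[1], None))
SAMPLE_EVENTS.append((31.0, 500, "write", DOCS[1], PLAINTEXT))

if __name__ == "__main__":
    print(detect_encryptor(SAMPLE_EVENTS))   # {4242: 6}
```

The design choice worth noting is the pairing of high-entropy writes with prior reads by the same process: entropy alone would flag every archiver and every download, while read-then-overwrite across many documents in seconds is the pattern an encryptor cannot avoid. A production agent would collect these events from a kernel file-system filter rather than a list, and would add containment (suspend the process, isolate the host) once the threshold trips.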

MWR InfoSecurity provides specialist advice and solutions in all areas of cyber security, from professional and managed services through to the development of commercial and open source security tools.